General

  • Target

    triage_dropped_file

  • Size

    291KB

  • Sample

    210707-vgj949jfba

  • MD5

    0596744a0d841da80190069d626eb899

  • SHA1

    2e1d746e7ea15e94b3a22c66cf1c40d8f0a931fa

  • SHA256

    d6c7b5f170665c8efc084b4f841ea26c4bfa6f7ed9ed6cbc6712c0a0788ae3cb

  • SHA512

    c97c4491d615b868c9eb94b4703ee52ada1e0f31d3cad357b217287a0c716125a5c246edf5182189514062d8e0228b421afdc13df462fb64676a355b7ba360af

Malware Config

Extracted

Family

hancitor

Botnet

0607_qxwd0

C2

http://hosouggs.com/8/forum.php

http://mancause.ru/8/forum.php

http://hievescits.ru/8/forum.php

Targets

    • Hancitor

      Hancitor is a downloader used to deliver other malware families.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Matrix

Tasks